Amendments to the Claims 

The following Listing of Claims will replace all prior versions and listings of claims in 
the application. 

Listing of Claims 

1. (Currently Amended) A method for providing secure access to applications, the method
comprising the steps of:

(a) receiving a request, from a client system accessed by a user, to execute an application
on a server;

(b) determining, by a policy system executing on the server and responsive to receiving
the request, a minimal set of computing privileges necessary for the user to use the
requested application based in part on an analysis of application requirements; and

(c) invoking an execution environment, executing on the server for the user, having the
determined set of privileges. 

2. (Currently Amended) The method of claim 1, further comprising the further step of: returning
an identifier for the execution environment to the requesting user. 

3. (Currently Amended) The method of claim 2, further comprising wherein the identifier is
used to using the identifier and a remote presentation level protocol to connect the user to the 
execution environment. 

4. (Currently Amended) The method of claim 1 wherein step (a) further comprises receiving a 
an HTTP-based request from the a user to execute an application.

5. (Cancelled). 



U.S.S.N.: 10/710,350 
Atty. Docket No.: 2006579-0444 
Client Ref. No.: CTX-090 



6. (Currently Amended) The method of claim 1 wherein analyzing application requirements step
(b) further comprises analyzing requirements of the a a-application executing on the server to
determine a minimal set of privileges necessary for the user to use the requested application.

7. (Currently Amended) The method of claim 1 further comprising the step of receiving an 
indication of a dataset on which the application operates. 

8. (Currently Amended) The method of claim 7_S-wherein step (b) further comprises accessing a 
confidentiality policy associated with the identified dataset to determine a minimal set of 
computing privileges necessary for the user to use the requested application. 

9. (Original) The method of claim 1 wherein step (b) further comprises determining a minimal 
set of computing privileges necessary for the user to use the requested application based, at least 
in part, on a role assigned to the user. 

10. (Original) The method of claim 1 wherein step (c) further comprises creating an execution 
environment for the user having the determined set of privileges. 

11. (Original) The method of claim 1 wherein step (c) further comprises identifying a
previously-existing execution environment for the user having the determined set of privileges. 

12. (Currently amended) The method of claim 1 further comprising the step of receiving from 
the user a request to execute a second application. 

13. (Currently amended) The method of claim 10 further comprising the steps of:

determining a minimal set of computing privileges necessary for the user to use
the second requested application; and

invoking a second execution environment for the user, having the second
determined set of privileges.

14. (Currently amended) The method of claim 1 further comprising the steps of initiating a
connection with the a client system associated with the user.

15. (Currently amended) An application server system providing secure access to hosted 
applications, the system comprising: 

a policy based decision system receiving a request from a user to execute an 
application and determining a minimal set of privileges required by the user to execute 
the application based in part on an analysis of application requirements; and

an account administration service in communication with said policy based 
decision system, the account administration service invoking an execution environment,
for the user, having the determined set of privileges.

16. (Currently amended) The system of claim 15 further comprising a connection manager in 
communication with said policy based decision system, said connection manager receiving from 
a client system a request by the user to execute the application and the connection manager 
transmitting to said policy based decision system an identification of said user and an 
identification of said application. 

17. (Original) The system of claim 16 wherein said connection manager communicates with the 
client using a presentation level protocol. 

18. (Original) The system of claim 17 wherein said presentation-level protocol is selected from 
the group consisting of RDP, ICA, and X. 

19. (Original) The system of claim 15 wherein said connection manager transmits an
identification of the user's role to said policy based decision system. 

20. (Original) The system of claim 15 wherein said policy-based decision system is based on a 
declared plurality of rules. 

21. (Original) The system of claim 15 wherein said policy-based decision system analyzes a set 
of requirements of the requested application to determine a minimal set of privileges required by 
the user to execute the requested application. 

22. (Original) The system of claim 15 wherein said connection manager receives an 
identification of a dataset that the application will process. 

23. (Original) The system of claim 18 wherein said policy based decision system accesses a 
confidentiality policy associated with the identified dataset to determine a minimal set of
privileges required by the user to execute the application. 

24. (Original) The system of claim 15 wherein said account administration service creates an 
execution environment having the determined minimal set of privileges. 

25. (Original) The system of claim 15 wherein said account administration service identifies a 
previously-existing execution environment having the determined minimal set of privileges. 

26-33. (Cancelled). 